building-soc-playbook-for-ransomware

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's runtime code (scripts/agent.py) explicitly uploads and fetches data from public sites—check_id_ransomware posts to https://id-ransomware.malwarehunterteam.com, query_malwarebazaar_hash posts to https://mb-api.abuse.ch, and query_nomoreransom GETs https://www.nomoreransom.org—and those responses are parsed into variant/IOC values that the agent uses to drive Splunk searches and host isolation actions, so untrusted third-party content can materially influence decisions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The playbook explicitly instructs privileged, state-changing actions (isolating hosts via EDR APIs, modifying firewall rules, disabling AD accounts, resetting krbtgt keys, disabling services, collecting memory/files) which modify machine and domain state and require elevated privileges, so it should be flagged.